Security · ~7 min
Coding models invent package names that exist in no registry. Most are one-offs — but 43% reappear on every re-run, and a stable hallucination is a name an attacker can register and wait for.
uv add or npm install commands is a supply-chain actor. Slopsquatting turns the model's training-distribution bug into an install of attacker-controlled code. You can't prompt the hallucination away — so the defense is the install authority, not the model.
Slopsquatting: an LLM recommends a package that exists nowhere, an attacker pre-registers that name on PyPI or npm, and the agent's install pulls the malware. The term — coined by a Python Software Foundation developer-in-residence — is "AI slop" plus "typosquatting." The package doesn't exist until an attacker creates it.
Spracklen et al. ran 576,000 code generations across 16 models and checked every recommended package against the registries:
| Measurement | Result |
|---|---|
| Hallucination rate — commercial models | 5.2% |
| Hallucination rate — open-source models | 21.7% |
| Names reappearing in every one of 10 re-runs | 43% |
| Names ≥6 Levenshtein distance from any real package | 48.6% |
Registry-side typosquat heuristics key off small edit distance from popular names. But 48.6% of hallucinated names sit Levenshtein distance ≥6 from any real package — they're not typos, they're plausible syntheses. The detectors look for the wrong shape. The proof of concept is concrete:
Bar Lanyado registered huggingface-cli on PyPI as a benign empty artifact after seeing LLMs repeatedly recommend it in place of the real huggingface-hub. Within three months it received >30,000 authentic downloads and was pulled into the README of Alibaba's GraphTranslator as an install dependency. The payload was harmless — but it confirmed a hallucinated name on a public registry gets installed at scale, by humans and build pipelines alike.
The hallucination prior can't be prompted away, so every defense routes around it by gating install: lockfile-enforced installs (npm ci, uv pip sync with hashes), an internal mirror that refuses unknown upstream packages, a pre-install existence + provenance check, or removing the install leg entirely and requiring a human-reviewed PR — each closes the vector. The defense to not invest in is registry-side typosquat detection; the edit-distance distribution shows it misses the bulk of the surface. Where lockfiles or curated mirrors already run, the slopsquatting-specific check is redundant — exposure concentrates wherever an agent's install authority bypasses that hygiene.
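A pre-install gate of the kind the paragraph describes, written as an added example (it is not code from the original lesson): only names pinned with a hash in a pip-compile style requirements file count as endorsed, everything else fails closed, and PyPI's JSON API is used only to classify the rejection, telling an absent (hallucinated) name from a real but unreviewed one whose first-upload date a reviewer can judge. The requirements format, the `gate` interface and the constructed sample inputs are assumptions.

```python
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Iterable, Optional

def normalize(name: str) -> str:
    """PEP 503 normalisation: 'Huggingface_CLI' and 'huggingface-cli' are the same name."""
    return re.sub(r"[-_.]+", "-", name).lower()

def load_endorsed(requirements_text: str) -> dict:
    """Endorsed set = names pinned with --hash in a pip-compile style requirements file."""
    endorsed, logical = {}, []
    for raw in requirements_text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):  # hash options are usually continued with a trailing '\'
            logical.append(line[:-1])
            continue
        joined, logical = " ".join(logical + [line]), []
        pin = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)==\S+", joined)
        hashes = re.findall(r"--hash=sha256:([0-9a-f]{64})", joined)
        if pin and hashes:
            endorsed[normalize(pin.group(1))] = set(hashes)
    return endorsed

def pypi_first_upload(name: str) -> Optional[str]:
    """Live PyPI JSON API lookup: None if the name does not exist, else its earliest upload time."""
    try:
        with urllib.request.urlopen(f"https://pypi.org/pypi/{name}/json", timeout=10) as resp:
            data = json.load(resp)
    except urllib.error.HTTPError:
        return None
    times = [f["upload_time"] for files in data["releases"].values() for f in files]
    return min(times) if times else "no uploads"

def gate(requested: Iterable[str], endorsed: dict,
         lookup: Callable[[str], Optional[str]] = pypi_first_upload) -> list:
    """Fail closed: only endorsed names pass; rejections say whether the name even exists."""
    verdicts = []
    for name in requested:
        norm = normalize(name)
        if norm in endorsed:
            verdicts.append((name, True, "pinned with hash in lockfile"))
            continue
        first = lookup(norm)
        if first is None:
            verdicts.append((name, False, "absent from registry: probable hallucination, log the name"))
        else:  # a very recent first upload of an unendorsed name is the slopsquat shape
            verdicts.append((name, False, f"exists upstream (first upload {first}) but unendorsed: needs human-reviewed PR"))
    return verdicts
```

Wire `gate` in front of whatever executes the agent's `uv add` / `pip install`, and pass a cached or mirror-backed `lookup` where the build must stay offline.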
npm ci / uv pip sync fail closed on any unendorsed name.
Retrieval practice — recall, don't peek
Question 1: What makes slopsquatting economically viable for an attacker is that…
Question 2: Registry-side typosquat detectors miss most slopsquatted names because…
Question 3: The Lanyado huggingface-cli PoC showed that a hallucinated name…
Question 4: The durable defense against slopsquatting is to gate…
Question 5 · spaced recall from Lesson 12: Workload Identity Federation replaces a static API key with…
uv add hook, or audit which of your pipelines install outside a lockfile? Next, the last content lesson: The URL Is the Leak — exfiltration through the request itself.